
[13.x] base64_decode without strict mode in Encrypter and DatabaseSessionHandler #59364

@abdallahk

Description

Security-critical paths use base64_decode() without the strict parameter, which means non-base64 characters are silently ignored rather than causing a rejection.

Encrypter

File: src/Illuminate/Encryption/Encrypter.php

Payload decoding (line 238):

$payload = json_decode(base64_decode($payload), true);

IV decoding (line 159):

$iv = base64_decode($payload['iv']);

Without strict mode, base64_decode() silently strips invalid characters. A tampered payload with injected non-base64 characters may still decode to valid-looking data.

Note: The tag field should NOT use strict mode because ensureTagIsValid() relies on is_string() to detect unexpected tags on non-AEAD ciphers. Strict mode would return false instead of a string, bypassing that validation.

DatabaseSessionHandler

File: src/Illuminate/Session/DatabaseSessionHandler.php line 107

return base64_decode($session->payload);

Corrupted or tampered session payloads in the database may be silently accepted instead of rejected.

Suggested Fix

// Encrypter.php — payload
$decoded = base64_decode($payload, true);
if ($decoded === false) {
    throw new DecryptException('The payload is invalid.');
}
$payload = json_decode($decoded, true);

// Encrypter.php — IV
$iv = base64_decode($payload['iv'], true);
if ($iv === false) {
    throw new DecryptException('The payload is invalid.');
}

// Encrypter.php — tag (keep non-strict for ensureTagIsValid compatibility)
$tag = empty($payload['tag']) ? null : base64_decode($payload['tag']);

// SessionHandler.php
$decoded = base64_decode($session->payload, true);
return $decoded !== false ? $decoded : '';
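An added illustration, not part of the issue or of Laravel's code, that contrasts the lenient decode of the current path with the strict decode of the suggested fix on a constructed envelope in the Encrypter's JSON shape; the iv, value and mac contents are placeholders, and decodeLenient/decodeStrict are hypothetical helper names.

```php
<?php
// Constructed demo: lenient vs strict base64_decode() on a tampered payload.
declare(strict_types=1);

final class PayloadDecodeException extends RuntimeException {}

// Mirrors the current (lenient) path: bytes outside the base64 alphabet are
// silently discarded before decoding, so tampering is not detected here.
function decodeLenient(string $payload): ?array
{
    $json = json_decode(base64_decode($payload), true);
    return is_array($json) ? $json : null;
}

// Mirrors the suggested fix: strict mode returns false for any character
// outside the base64 alphabet, and that is turned into a rejection.
function decodeStrict(string $payload): array
{
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        throw new PayloadDecodeException('The payload is invalid.');
    }
    $json = json_decode($decoded, true);
    if (!is_array($json)) {
        throw new PayloadDecodeException('The payload is invalid.');
    }
    return $json;
}

// Constructed sample envelope (placeholder iv/value/mac, not real ciphertext),
// base64-encoded the way Encrypter wraps its JSON.
$envelope = json_encode([
    'iv'    => base64_encode(str_repeat("\x00", 16)),
    'value' => base64_encode('placeholder-ciphertext'),
    'mac'   => str_repeat('0', 64),
]);
$clean = base64_encode($envelope);

// Inject characters that are not in the base64 alphabet into the middle.
$tampered = substr($clean, 0, 10) . '!!*' . substr($clean, 10);

// Lenient decode yields the same array for both inputs: the injection vanishes.
var_dump(decodeLenient($tampered) === decodeLenient($clean));

// Strict decode rejects the tampered input and still accepts the clean one.
try {
    decodeStrict($tampered);
} catch (PayloadDecodeException $e) {
    echo 'strict: ' . $e->getMessage() . PHP_EOL;
}
var_dump(decodeStrict($clean)['value'] === base64_encode('placeholder-ciphertext'));
```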

Versions

  • All current Laravel versions
